Management Booklet
IT Management Booklet
This booklet provides guidance to examiners and financial institution management. The examination procedures in this booklet assist examiners in evaluating financial institution risk management processes to ensure effective information technology (IT) management.
Effective IT management in financial institutions maximizes the benefits from technology and supports enterprise-wide goals and objectives. The IT department typically leads back-office operations, network administration, and systems development and acquisition efforts. IT management also provides expertise in choosing and operating technology solutions for an institution’s lines of business such as commercial credit and asset management, or enterprise-wide activities such as security and business continuity planning. This dual role and the increasing use of technology raise the importance of IT management in effective corporate governance.
Management of IT in financial institutions is critical to the performance and success of an institution. Sound management of technology involves more than containing costs and controlling operational risks. An institution capable of aligning its IT infrastructure to support its business strategy adds value to its organization and positions itself for sustained success. The board of directors and executive management should understand and take responsibility for IT management as a critical component of their overall corporate governance efforts.
The IT Governance Institute defines IT governance as "an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives." Due to the reliance on technology, effective IT management practices play an integral role in achieving many goals related to corporate governance. The ability to manage technology effectively in isolation no longer exists. Institutions should integrate IT management into the strategic planning function of each line of business within the institution. Financial institutions face many challenges in today’s marketplace that increase the importance of IT management.
- Technology is becoming a commodity that is pervasive across all institutions and all business units within an institution.
- Institution systems connect with customers, business lines, third parties, and the public.
- Technology has created interdependencies among the infrastructure, applications, web content, and the decision-making process necessary to support the delivery of new products and services.
- Timely and accurate information is critical to meeting business requirements throughout the organization.
- The industry continues to experience rapid changes in technologies prompting new investment in infrastructure, systems, and applications.
- New technology requires new expertise, which creates competition for the necessary talent, knowledge, and skill sets.
Effective IT management can leverage opportunities from these challenges while strengthening an institution’s ability to manage risk. Advances in technology can result in the ability to offer new products and services to customers, to increase efficiency of operations, to ease the sharing of information between business lines, and to better prepare the institution for future competition. The board of directors and executive management should also understand that new technology and changes in technology could introduce new sources of risk to the institution. External connectivity with non-bank systems, reliance on third parties, involvement in e-commerce, and adoption of new payment systems are some examples that may introduce new or increased operational risk associated with the confidentiality, integrity, and availability of systems and information. Changes in technology may not only introduce new operational risks to manage, but can also introduce an institution to increased risk to its reputation or legal standing. Therefore, IT management is an essential component of effective corporate governance and operational risk management.
This booklet has four parts. First, it provides an overview of how IT management relates to operational and non-operational risks. Second, it describes the structural issues associated with IT oversight. After reviewing the risks and structural issues, the booklet next describes a process for managing technology related risks. The final section provides additional guidance for companies providing technology services to financial institutions.